Link: Scribd fullscreen link from suspicious sender

Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.

Sublime rule

name: "Link: Scribd fullscreen link from suspicious sender"
description: "Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(body.links) < 10
  and any(body.links,
          (
            .href_url.domain.root_domain == "scribd.com"
            or strings.icontains(.href_url.query_params, 'scribd.com')
            or strings.icontains(.href_url.query_params, 'scribd%2ecom')
            or strings.icontains(.href_url.query_params, 'scribd%252ecom')
          )
          and strings.icontains(.href_url.fragment, 'fullscreen')
  )
  and not profile.by_sender_email().any_messages_benign
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "Sender analysis"
id: "9e9bc972-d4e1-5bd0-96bc-b8b10e74b02a"
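To see what the rule's URL analysis actually catches, here is a stand-alone Python re-implementation of its per-link and per-message logic, run over constructed sample links. This is an added example, not Sublime's code: `root_domain` approximates `.href_url.domain.root_domain` with a last-two-labels heuristic (the real platform uses a public suffix list), and `sender_has_benign_history` stands in for `profile.by_sender_email().any_messages_benign`.

```python
from urllib.parse import urlparse

SCRIBD_ROOT = "scribd.com"

# Encoded spellings of "scribd.com" the rule searches for inside query
# parameters: plain, single percent-encoded dot, double-encoded dot.
QUERY_MARKERS = ("scribd.com", "scribd%2ecom", "scribd%252ecom")


def root_domain(host: str) -> str:
    """Assumption: last two labels approximate the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_scribd_fullscreen_link(href: str) -> bool:
    """Per-link condition: Scribd host or Scribd hidden in query params,
    AND a fragment containing 'fullscreen' (case-insensitive, like icontains)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    query = parsed.query.lower()
    fragment = parsed.fragment.lower()
    domain_hit = root_domain(host) == SCRIBD_ROOT
    query_hit = any(marker in query for marker in QUERY_MARKERS)
    return (domain_hit or query_hit) and "fullscreen" in fragment


def rule_matches(links, sender_has_benign_history: bool) -> bool:
    """Message-level logic: fewer than 10 links, at least one matching link,
    and no benign history for the sender (stand-in for the sender profile)."""
    if len(links) >= 10:
        return False
    if not any(is_scribd_fullscreen_link(link) for link in links):
        return False
    return not sender_has_benign_history


if __name__ == "__main__":
    # Constructed sample links; the redirector hides Scribd in a double-encoded parameter.
    samples = [
        "https://www.scribd.com/document/123/report#fullscreen",
        "https://redir.example/go?u=https%3A%2F%2Fwww.scribd%252ecom%2Fdoc#fullscreen=true",
        "https://www.scribd.com/document/123/report",
    ]
    for link in samples:
        print(is_scribd_fullscreen_link(link), link)
    print("rule fires:", rule_matches(samples, sender_has_benign_history=False))
```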
